Re: OpenSSL 3.0 FIPS questions

On 27/10/2021 17:28, Jason Schultz wrote:
With these config files and the code above, the OSSL_PROVIDER_load(fips_libctx, "fips") call fails. Here are the messages from the ERR_print_errors_fp() call:

2097C692B57F0000:error:1C8000D5:Provider routines:(unknown function):missing config data:providers/fips/self_test.c:289:
2097C692B57F0000:error:1C8000E0:Provider routines:(unknown function):fips module entering error state:providers/fips/self_test.c:387:
2097C692B57F0000:error:1C8000D8:Provider routines:(unknown function):self test post failure:providers/fips/fipsprov.c:706:
2097C692B57F0000:error:078C0105:common libcrypto routines:(unknown function):init fail:crypto/provider_core.c:903:name=fips


This tells us that the fips provider has successfully loaded, but then subsequently failed during its self-test because it cannot find its config data.

I can see that you have created a separate libctx for fips. However automatic loading of the config file only works for the *default* libctx. If you create your own one then you need to explicitly load the config file:

if (!OSSL_LIB_CTX_load_config(fips_libctx, "/usr/local/ssl/openssl.cnf")) {
    /* error handling */
}

Actually if you do this then you should not need to call OSSL_PROVIDER_load() explicitly to load the fips provider since you already activated it in the config file. You can either drop the explicit call to OSSL_PROVIDER_load() for the fips provider, or remove the "activate = 1" line in "fips_sect" in fipsmodule.cnf. This is just a minor optimisation though. Doing both is redundant but harmless. You could also load the base provider via config if you wanted to.

Matt
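
The reading of the error dump given in the reply above, as an added example (not code from the thread or from OpenSSL): it parses the oldest entry, using the thread:error:code:library:function:reason:file:line:data layout visible in the quoted output, and flags the case where FIPS module code ran but reported "missing config data". The names err_entry, parse_err_entry and fips_config_missing are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Added example; names are hypothetical. Entry layout as printed above:
 * thread:error:code:library:function:reason:file:line:data */
struct err_entry { char lib[64], reason[64], file[96]; long line; };
/* First two entries of the dump from the thread (oldest entry first). */
static const char *DUMP =
    "2097C692B57F0000:error:1C8000D5:Provider routines:(unknown function):"
    "missing config data:providers/fips/self_test.c:289:\n"
    "2097C692B57F0000:error:1C8000E0:Provider routines:(unknown function):"
    "fips module entering error state:providers/fips/self_test.c:387:\n";

/* Copy text up to the next ':' on this line into dst (NULL dst = skip). */
static const char *field(const char *s, char *dst, size_t cap)
{
    const char *end = s ? strchr(s, ':') : NULL;
    size_t n = end ? (size_t)(end - s) : 0;
    if (end == NULL || memchr(s, '\n', n) != NULL || (dst && n >= cap))
        return NULL;                       /* missing, cross-line or too long */
    if (dst) { memcpy(dst, s, n); dst[n] = '\0'; }
    return end + 1;
}

/* Parse the entry starting at line; returns 1 on success, 0 if malformed. */
int parse_err_entry(const char *line, struct err_entry *e)
{
    char tag[8], num[16];
    const char *p = field(line, NULL, 0);                      /* thread id */
    p = field(p, tag, sizeof tag);
    if (p == NULL || strcmp(tag, "error") != 0) return 0;
    p = field(field(p, NULL, 0), e->lib, sizeof e->lib);       /* skip code */
    p = field(field(p, NULL, 0), e->reason, sizeof e->reason); /* skip func */
    p = field(p, e->file, sizeof e->file);
    p = field(p, num, sizeof num);
    return p != NULL && sscanf(num, "%ld", &e->line) == 1;
}

/* 1 if the oldest entry is FIPS module code reporting "missing config data". */
int fips_config_missing(const char *dump)
{
    struct err_entry e;
    return parse_err_entry(dump, &e)
        && strncmp(e.file, "providers/fips/", 15) == 0
        && strcmp(e.reason, "missing config data") == 0;
}

int main(void)
{
    puts(fips_config_missing(DUMP) ? "config not loaded in this libctx" : "other");
    return 0;
}
```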




